DTM - Motivation

• Distributed system defenses built as "islands"

- Forced to make assumptions re: topology, other defenses, ...

• Locally correct, globally incorrect security enforcement

- Assumptions fail or are exploited by attackers!

• Our work is motivated by real security incidents experienced first hand

- "Pushing Boulders Uphill: The Difficulty of Network Intrusion Recovery." Michael E. Locasto, Matthew Burnside, and Darrell Bethea. In Proceedings of the 23rd Large Installation System Administration (LISA) Conference. November 2009, Baltimore, MD.

• DTM forces these assumptions into the open, allowing systems to verify them continuously
Overall Approach

• Define policies that take into consideration system-wide context

- Extend security mechanisms to emit contextual information (continuous or event-based)

- Distribute information to interested components

• Integrate IDS/ADS, access control, reaction

• Challenges:

- Accuracy (extracting data from noise)

- Complexity (defining policies)

- Performance (scale with users, system, events)

MURI Review Meeting, 06/10/2010


Arachne

[Figure: Arachne architecture, with components labelled POLICY, Sensors, Events, Actuators and NETWORK (applications, network links, routers, etc.).]


• ARACHNE is a system for the coordinated distribution and evaluation of a system-wide policy on different nodes

- Several prototype systems for enterprise-level security have been developed

• GOAL: Integrate a variety of different, diverse security mechanisms and policy expression methods

- Achieve enhanced protection over any individual method

- Allow exchange of information between different mechanisms (eliminate the possibility of "locally correct" but globally wrong decisions)

- Capture trade-offs between amount of global context, scalability, etc.
Specific Tasks (Years 1-3)

• Develop language for expressing DTM policies

- "Arachne: Integrated Enterprise Security Management." Matthew Burnside and Angelos D. Keromytis. In Proceedings of the 8th Annual IEEE SMC Information Assurance Workshop (IAW), pp. 214-220. June 2007, West Point, NY.

• Design DTM architecture

- "Asynchronous Policy Evaluation and Enforcement." Matthew Burnside and Angelos D. Keromytis. In Proceedings of the 2nd Computer Security Architecture Workshop (CSAW), pp. 45-50. October 2008, Fairfax, VA.

• Collaborative/Distributed policy enforcement

- "F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services." Matthew Burnside and Angelos D. Keromytis. In Proceedings of the 12th Information Security Conference (ISC), pp. 491-506. September 2009, Pisa, Italy.

- "Path-based Access Control for Enterprise Networks." Matthew Burnside and Angelos D. Keromytis. In Proceedings of the 11th Information Security Conference (ISC), pp. 191-203. September 2008, Taipei, Taiwan.
Contributions

• Framework for integrating all types of defenses

• Proof of feasibility

- Prototype, preliminary performance, security analysis

• Initial exploration of design options

• Education (GRA training, coursework integration)

• Outreach

- Tech transition to the government (operations)
Future Directions

• Continue work on refining architecture and system

- Explore performance/scalability, effectiveness, overhead tradeoffs

• Integrate with QTM

- Particularly important in federated systems (e.g., dynamically composable SOAs)

• Investigate the use of reactive mechanisms

- Global coordination of dynamic defenses
Expected Contributions in Years 4 & 5

• Proof of feasibility

- Experimentation in real environment

• Exploration of design and implementation space

• Use of active defenses and deceit

- Can we challenge attackers' (trust) assumptions?
Outreach and Education

• Integrated material into COMS W4180 course

• 2 invited talks (beyond conference talks) and 1 panel

• Main Ph.D. GRA now working for NSA (R23)
Work on Rogue AV Campaigns

• Working with Symantec to determine modus operandi of rogue AV sites (and why users trust them)

"Gone Rogue: An Analysis of Rogue Security Software Campaigns." Marco Cova, Corrado Leita, Olivier Thonnard, Marc Dacier, and Angelos D. Keromytis. In Proceedings of the 5th European Conference on Computer Network Defense (EC2ND). November 2009, Milan, Italy. (Invited paper)

"An Analysis of Rogue AV Campaigns." Marco Cova, Corrado Leita, Olivier Thonnard, Marc Dacier, and Angelos D. Keromytis. To appear in the Proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (RAID). September 2010, Ottawa, Canada.
Report: Antivirus 2009 Professional

[Screenshot of a consumer complaint filed on Ripoff Report]

Category: Internet Fraud

Antivirus 2009 Professional: This is not only a scam.. IT IS A VIRUS!! Windows Security had to clean the system, took 18 hrs to remove the virus. DO NOT INSTALL THIS PROGRAM, REGARDLESS OF WHAT THE "POP-UPS" TELL YOU!!

Antivirus 2009 Professional (Internet, U.S.A.)

Antivirus 2009 IS a virus. It appears on your log in page and will continue as "pop up" giving you dire warnings about your computer's vulnerabilities. Don't believe it! Go back to your start menu and contact your system's security center. It took Windows almost 2 days to determine the source, then resolve it.

I also will now have to go to the bank and cancel my card. There are hidden charges, and will appear as $109,82. And you cannot print the confirmation, it freezes your system completely!!

Don't be tricked into this as many of us have... contact Windows, Microsoft, BEFORE you install anything. They are already aware of this scam.

(And the overlaps and ads from this virus are lewd and offensive, so be sure you have your kids check with you if they see the original "warning" that your computer is Infected!)

Kate
Poplar Branch, North Carolina
U.S.A.

Submitted: Thursday, August 21, 2008
(Courtesy of http://www.ripoffreport.com/)



Rogue AV

• Misleading application

• Pretends to be legitimate security software, such as an anti-virus scanner

• Offers little or no protection

• Often facilitates installation of the same malware it pretends to protect from
How "little" is too little?

• False alerts only

- Tens of alerts on freshly installed machine

• "Selective" alerts

- IE Defender spreads via Zlob malware

- After installation, it correctly detects Zlob

• "1980-style" alerts

- Filename, registry path checks

• Sometimes come with EULA...
[Screenshots of rogue AV marketing pages: "Once your browsing habits are analyzed, you are flooded with spam from inside your PC!"; "Protect your PC with innovative technology of Green Antivirus '09 and prevent further infection"; Green AV is advertised as "an award-winning spyware removal utility" promising "100% remove of malicious software, viruses, spyware, malware etc.", "100% COMPATABILITY", protection "from phishing", and an "Environment care program" under which "$2 dollars from every sale will be sent on saving green forests in Amazonia"; alongside, a fake "ATTENTION! Security Center has detected malware on your computer" alert listing "Affected Software" and "Unexpected shutdowns".]

(Courtesy of threatinfo.trendmicro.com)
[Screenshots of news headlines about mainstream sites serving rogue AV advertising:]

• "eWeek Web Site Leads Users to Rogue Anti-Virus (AV) Application" (02/24/2009)

• "Scareware pops-up at FoxNews" - posted by Dancho Danchev, April 15th, 2009

• "USAToday.com Ads Redirect to Rogue AV" - posted by Paul Royal

• "New York Times serves up rogue ads to readers" - Angela Moscaritolo, September 14, 2009

• "Gizmodo victimized by malicious advertising scam"
Distribution: Drive-by Downloads

• Victim visits a legitimate web site, which has been compromised (say, via SQL injection)

• Hidden iframe redirects victim to malicious site

• Malicious site launches a number of browser and plugin exploits

• If successful, exploits download and run rogue AV on the victim's machine
Distribution: SEO

[Screenshot: Google results for the search "how to get google wave invitation", shown as an example of a trending query targeted by rogue AV search-engine optimization.]

Other targeted topics:

• Sport events ("March madness")

• Natural disasters ("Samoa earthquake")

• Legit anti-virus ("F-Secure")

(Courtesy of securitylabs.websense.com)
Distribution: Piggyback Trojan

• 9 April, 2009, Conficker awakens, and

• Downloads Waledac malware,

• Which installs SpywareProtect2009,

• Which asks for $49.95 to remove "threats"
Distribution: Piggyback BHO

[Screenshot: Google News (http://news.google.com/) as rendered in a browser carrying a rogue browser helper object (BHO), which injects the following message above the Top Stories:]

"Google has detected unregistered Antivirus 2009 copy on your computer, Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet."
Products

Rank  Product
1     Spyware Guard 2008
2     AntiVirus 2008
3     AntiVirus 2009
4     Spyware Secure
5     XPAntivirus
6     WinFixer
7     SafeStrip
8     ErrorRepair
9     Internet Antivirus
10    DriveCleaner

Over 250 rogue AV programs, according to Symantec.

(Courtesy of http://rogueantispyware.blogspot.com/)
Rebranding

• Changes in the name, logos, pictures of a rogue AV

• Helps evade detection if original version of the rogue AV has been discovered

• Minimizes the impact of credit card chargebacks and payment reversals
Basic Business Model

• Rogue AV basic: $0

• Rogue AV full: $30-$100

• Multi-year licensing: ~$20 more

• Bundling other applications: ~$20 more

• Fraudulent credit card transactions: $$$
From Basic to

[Screenshot: a "Security Warning" pop-up reading "You computer is infected with malicious software. You should use antivirus product to remove it. Click this message to purchase recommended antivirus software."]

"Click this message to purchase recommended antivirus software"
[Screenshot: a "WARNING Antivirus 2009 Alert!" dialog reading "New database update is available. Automatic updating is necessary to get your system protected in real time against new and emerging viruses, worms and trojans. Regular updating is needed to prevent your PC from the latest virus threats that can lead to system slowdown, freezes, crashes and data loss. Viruses detected on your PC. What would you like to do?" with the buttons "Remind me later" and "Update Now".]

"Regular updating is needed"
Affiliate-based Business Model

• Affiliates are given a range of links and JavaScript snippets

• Links and scripts embedded in shady or compromised sites

• Victim visits affiliate-controlled web site and pays for full version of rogue AV

• Affiliate responsible for generating installation is paid 60% of installation revenue

• In economic lingo: "Affiliate-based, pay-per-sale model"
TrafficConverter.biz

• Web site used to manage affiliates

- Provides support (files, links, etc.)

- Tracks installations and sales

• Bonus programs

- VIP points

- Contests for top-selling affiliates (win a Mercedes)

• Database snatched by security researchers before its shutdown in November 2008
TrafficConverter.biz

Affiliate earnings

• 500 active affiliates

• Per-sale price: $30

• Top affiliate purportedly earning $332K in one month (!)

• Top-10 affiliates purportedly earning $23K/week
Per-installation price

Country         Price
United States   $0.55
United Kingdom  $0.52
Canada          $0.52
Australia       $0.50
Spain           $0.16
Ireland         $0.16
France          $0.16
Italy           $0.16
Germany         $0.12
Belgium         $0.12

Rogue AV Campaigns

• Coordinated effort by cyber-criminals to distribute and profit from a rogue AV

• Components:

- Malware code

- Infrastructure used to distribute it

- Victims that fall for it
Campaign Analysis

Data:

• 2 months in summer 2009

• 4,305 rogue AV-hosting servers (IP addresses)

• 6,500 domains

Goals:

• Infrastructure

- How created and managed

- Identify related sites

• How it affects clients

Whac-a-mole?
Identifying Campaigns

• Assumption: a campaign is managed by a group of people, who are likely to reuse, at various stages of the campaign, the same techniques, strategies, and tools

• Approach: look for emerging patterns in infrastructure components (web sites)
Features

• IP address

• DNS domain names

• Geolocation

• Server identification name and version

• ISP

• ASN

• DNS registrar

• DNS registrant

• Uptime
Multicriteria Clustering

• TRIAGE

- = atTRIbution of Attack phenomena using Graph-based Event clustering

• Multicriteria clustering method

[Figure: TRIAGE pipeline: Features -> Selection -> Per-feature graph-based clustering -> Multicriteria aggregation -> Combined graph]
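A toy version of the per-feature graph clustering and multicriteria aggregation sketched in the pipeline above, added here as an illustration and not the TRIAGE implementation. The domain records, the feature weights, the /24 grouping of server IPs, the 7-day registration window (used in place of the slide's "Uptime" feature) and the 0.5 aggregation threshold are all constructed assumptions.

```python
"""Toy TRIAGE-style multicriteria clustering of rogue AV domains.

Constructed example: the records, feature weights, similarity rules and
threshold are assumptions for illustration, not the paper's data or code.
"""
from datetime import date
from itertools import combinations

# Constructed records: (domain, server IP, registrant email, registrar, registration date).
# The domain names and the 78.159.122.x network appear on the slides; the rest is invented.
DOMAINS = [
    ("pnn5d.cn", "78.159.122.10", "a1@privacyprotect.example", "RegA", date(2008, 10, 17)),
    ("krhz9.cn", "78.159.122.11", "a1@privacyprotect.example", "RegA", date(2008, 10, 18)),
    ("6d5hs.cn", "78.159.122.12", "b2@privacyprotect.example", "RegA", date(2008, 10, 20)),
    ("fluam.cn", "198.51.100.5", "seller@mail.example", "RegB", date(2009, 2, 27)),
    ("8vpdf.cn", "198.51.100.6", "seller@mail.example", "RegB", date(2009, 2, 27)),
    ("xsmf7.cn", "203.0.113.7", "lone@mail.example", "RegA", date(2008, 10, 19)),
]

def same_net24(a, b):
    """IP-network feature: two servers in the same /24 are considered related."""
    return a.split(".")[:3] == b.split(".")[:3]

def equal(a, b):
    return a == b

def within_days(a, b, days=7):
    """Registration-time feature: registrations at most `days` apart match."""
    return abs((a - b).days) <= days

# Record index -> (similarity predicate, weight in the multicriteria aggregation).
# Weights are assumptions: a shared registrar alone is weak evidence, since
# legitimate sites share registrars too.
FEATURES = {
    1: (same_net24, 0.4),   # IP network
    2: (equal, 0.3),        # DNS registrant
    3: (equal, 0.1),        # DNS registrar
    4: (within_days, 0.2),  # registration time
}

def per_feature_graphs(records):
    """One edge set per feature: pairs of domains whose feature values match."""
    return {idx: {(r1[0], r2[0]) for r1, r2 in combinations(records, 2) if sim(r1[idx], r2[idx])}
            for idx, (sim, _) in FEATURES.items()}

def combined_graph(graphs, threshold=0.5):
    """Aggregate per-feature edges into weighted edges; keep those at or above threshold."""
    weights = {}
    for idx, edges in graphs.items():
        for edge in edges:
            weights[edge] = weights.get(edge, 0.0) + FEATURES[idx][1]
    return {e: w for e, w in weights.items() if w >= threshold}

def clusters(records, threshold=0.5):
    """Connected components of the combined graph (union-find), largest first."""
    parent = {r[0]: r[0] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combined_graph(per_feature_graphs(records), threshold):
        parent[find(a)] = find(b)
    groups = {}
    for d in parent:
        groups.setdefault(find(d), set()).add(d)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))

if __name__ == "__main__":
    for group in clusters(DOMAINS):
        print(sorted(group))
```

xsmf7.cn shares a registrar and a registration week with the first group but nothing else, so its combined weight stays below the threshold and it remains a singleton rather than being merged on weak evidence.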
TRIAGE: a "simple" example

[Figure: graph linking domains through shared registrants and IP networks (78.159.122.x), registered 17-Oct-2008.]
A slightly more complex example

• 750 domains registered over a span of 8 months

• Email addr. hidden by privacy protection services

[Figure: registration timeline running from 2008 to 27-Feb-2009.]
A slightly more complex example

[Figure: cluster of five-character .cn domain names (e.g., pnn5d.cn, krhz9.cn, 6d5hs.cn, xsmf7.cn, fluam.cn, 8vpdf.cn) linked by shared infrastructure features.]
Cluster Results

• 39 clusters with at least 10 domains

• They account for ~70% of the dataset

[Figure: empirical CDF of cluster size.]

Server Geolocation

[Figure: geolocation of rogue AV-hosting servers.]

Rogue-friendly Networks?

[Figure: number of domains per server IP across the IPv4 space (Class-A subnets).]
Activating Sites

In one-day interval:

• Moved 3 sites from GoDaddy's parking servers to active servers

• Consolidated 4th site

Deactivating Sites
Rogue AV Registrants

Registrant's email domain   # Sites
gmail.com                   1,238 (30%)
id-private.com              574 (14%)
whoisprivacyprotect.com     533 (13%)
privacyprotect.org          125 (3%)
mas2009.com                 101 (2%)

Registrants seem to value their privacy...
Beyond the Graphs

• Automate the identification of campaigns

• Insights into how cyber criminals operate

- Registration strategy (time)

- Name schemes

• Attack attribution/understanding

• Future work: early warning system
Clients

• 6 of the rogue AV-hosting servers leaked information about their clients

- Site name

- Client IP

- Client request

• No access to content of communication

• 45-day monitoring

• 372,096 distinct client IP addresses
(Potential) Victim Geolocation

Request Types

• Scan

• Download

• Update

• Payment form

• Payment confirmation

• Report
Rogue AV Effectiveness

On sites we monitored:

• 1.26% of users visit payment page

• 0.03% attempt to complete purchase
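As an added illustration of how the client-side rates above (share of distinct client IPs that reach the payment form and the payment confirmation) can be derived from leaked server logs of the kind described on the Clients slide; this is not the authors' code. The line format, the mapping from request paths to the request types listed on the slides, and the sample log are constructed assumptions.

```python
"""Client funnel over leaked rogue AV server logs (constructed sample).

Assumptions for this example: the line format "<site> <client IP> <request path>",
the mapping from path prefixes to the request types named on the slides, and the
sample lines themselves are all invented here.
"""
from collections import defaultdict

# Constructed sample log (documentation IP ranges, example site names).
SAMPLE_LOG = """\
av2009.example 198.51.100.1 /scan.php?id=7
av2009.example 198.51.100.1 /download/setup.exe
av2009.example 198.51.100.2 /scan.php?id=9
av2009.example 198.51.100.2 /download/setup.exe
av2009.example 198.51.100.2 /update/db.bin
av2009.example 198.51.100.2 /buy/form
av2009.example 198.51.100.3 /scan.php?id=3
av2009.example 198.51.100.3 /download/setup.exe
av2009.example 198.51.100.3 /buy/form
av2009.example 198.51.100.3 /buy/confirm
av2009.example 198.51.100.4 /report?status=ok
spyguard.example 203.0.113.5 /scan.php?id=1
this line is malformed and must be skipped by the parser
"""

# Request types from the "Request Types" slide; the path prefixes are assumed.
REQUEST_TYPES = [
    ("/scan", "scan"),
    ("/download", "download"),
    ("/update", "update"),
    ("/buy/form", "payment form"),
    ("/buy/confirm", "payment confirmation"),
    ("/report", "report"),
]
# Purchase funnel stages in order; "report" is outside the funnel.
FUNNEL = ["scan", "download", "update", "payment form", "payment confirmation"]

def classify(path):
    for prefix, rtype in REQUEST_TYPES:
        if path.startswith(prefix):
            return rtype
    return "other"

def parse_log(text):
    """Yield (site, client_ip, request_type); lines without exactly 3 fields are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        site, ip, path = parts
        yield site, ip, classify(path)

def requests_per_client(text):
    """Set of request types seen from each distinct client IP."""
    seen = defaultdict(set)
    for _site, ip, rtype in parse_log(text):
        seen[ip].add(rtype)
    return seen

def furthest_stage(text):
    """Deepest funnel stage each client reached (None if it never entered the funnel)."""
    result = {}
    for ip, types in requests_per_client(text).items():
        reached = [stage for stage in FUNNEL if stage in types]
        result[ip] = reached[-1] if reached else None
    return result

def conversion_rates(text):
    """Percentage of distinct client IPs that reached each funnel stage."""
    seen = requests_per_client(text)
    total = len(seen)
    if not total:
        return {stage: 0.0 for stage in FUNNEL}
    return {stage: round(100.0 * sum(1 for t in seen.values() if stage in t) / total, 2)
            for stage in FUNNEL}

if __name__ == "__main__":
    print(conversion_rates(SAMPLE_LOG))
```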
Interaction Duration
Conclusions

• Rogue AV is a significant threat

- "Products"

- Distribution mechanisms

- Developed economy

• Our contributions

- Understanding infrastructure

- Identifying related sites

- Insights into the criminals' modus operandi

- Inside look at victims (potential and actual)
Some Legal Victories

• Washington State's Attorney General obtained a $1 million settlement from Secure Computer LLC, of White Plains, NY (December 2006), distributor of Spyware Cleaner

• Microsoft and Washington State's Attorney General filed lawsuits against Branch Software, distributor of Registry Cleaner XP

• FTC obtained $1.9 million settlement from distributors of WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus